Use purchasing processes to reflect priorities and risks. Risk retention is the most common way of handling risk. Organizations and individuals face an almost unlimited number of risks, and in most cases nothing is done about them. If no positive action is taken to avoid, reduce or transfer a risk, the possibility of a loss from that risk is retained. Risk retention can be deliberate or unconscious. Risk is deliberately retained when the risk is recognized and is neither transferred nor reduced. If the risk is not recognized, it is unconsciously retained: the person keeps the financial exposure without realizing it. Risk retention may also be voluntary or involuntary. Voluntary risk retention occurs when the risk is identified and there is an agreement to absorb the resulting losses; this usually happens when no more attractive alternative exists. Involuntary risk retention occurs when risks are retained unconsciously, or when it is not possible to avoid, transfer or reduce them. In some cases, retaining the risk is the best option available.
Everyone decides which risks to retain and which to avoid or transfer. One person may be unable to bear a loss that another can absorb; what is a financial disaster for one can be manageable for another. As a general rule, the only risks that should be retained are those that can lead to relatively small losses. The basic criteria are risk evaluation criteria, impact criteria and risk acceptance criteria. In defining risk evaluation criteria, the organization should consider the strategic value of the business information process; the criticality of the information assets involved; legal and regulatory requirements and contractual obligations; the operational and business importance of the information security attributes (confidentiality, integrity and availability); and the expectations and perceptions of stakeholders, together with the negative consequences for goodwill and reputation. Impact criteria express the degree of damage or cost to the organization resulting from an information security event. Developing impact criteria includes considering the classification level of the affected information asset; breaches of information security (loss of confidentiality, integrity or availability); impaired operations; loss of business and financial value; disruption of plans and deadlines; damage to reputation; and breaches of legal, regulatory or contractual requirements. Risk acceptance criteria depend on the organization's policies, goals, objectives and the interests of stakeholders. When developing risk acceptance criteria, the organization should take into account business criteria, legal and regulatory aspects, operations, technology and finance.
Changes to the Medical Center's computer networks, such as adding a new system or upgrading an existing one, shift the risk profile of the network, and that shift must be managed and accepted by the Medical Center. UVa Medical Center's risk acceptance strategy depends on three key processes: conducting risk assessments, implementing risk reduction, and obtaining informed approval from management. There will always be vulnerabilities for which no remedy exists (no patch or workaround), or for which the fix requires a long-term plan to implement and test. How do you manage and track these so that they are not lost? To handle such cases, you can use the existing risk acceptance/exception process, which we reviewed in Chapter 8.